Sorry, I'm not a native English writer.
If is not understandable, I was trying to confirm what you wrote... on other words 
It is not something that can be resolved to the satisfaction of those CVE-as-a-hobby writers…
Even when you would use HTTPS, there is still the problem that the device cannot initially have a trusted certificate, and while it would be possible to install one later it would be a risk as well to keep that valid.
HTTP management of newly installed devices like routers is just a fact of life, and it is upon the admin to make sure they are not intercepted during that procedure.
RESOLVED INVALID